TUES:Type 1 EDURange: A Configurable, Documented
Cybersecurity Scenario Platform to Enhance Systems Security Analysis Skills
EDURange is an NSF-funded project with the aim of building cloud-based interactive security exercises. This suite of exercises is intended to help supplement classroom lectures, labs, and other activities.
Our goal in creating EDURange was to twofold. First, we want to reduce barriers to access by placing these exercises in the cloud (we currently host on Amazon EC2) so that all that students and professors need is a browser and a command line – no complicated virtual machine clients or plugins.
Second, we wanted to build exercises that focus on highly interactive, competitive, and dynamic scenarios. We acknowledge that a number of instructors, both academic and industry, have created a lot of very good (and some not-so-good) exercises, training material, and lab manuals over the years. Kevin Du’s SEED manual is a fine example of intense effort poured into creating very good exercises over a number of years.
Our aim is very different from most. Instead of teaching canned scenarios or simple examples, we wanted to create a puzzle environment where each run of the scenario was different. To help us keep this design focus, the key question we ask ourselves (besides “has this exercise been done before?”) is: what kind of analysis skill do we expect the students to acquire from running (and re-running) this scenario? As you can see, our central and very intense focus is on creating exercises that support and nurture the development of analysis skills rather than memorized scripts, recipes, or standard command line or GUI settings for a particular tool. We are inspired by the tenets of the hacker curriculum (http://www.hackercurriculum.org), such as learning through failure modes and a purposeful cross-layer approach to topic introduction and exploration.
We want to create exercises that force students to think rather than just follow a script. We craft every scenario so that three or four approaches are valid, and students can re-run the scenario with the extra knowledge they’ve learned to have a totally different experience. In addition, each scenario is “live” and dynamic — nothing is canned.
We believe that learning can be enhanced by an interactive, team competition-based approach to practicing cyber security skills and principles in an open-source, publicly available, customizable, “live-fire” setting. This platform specifically rewards the time students spend on analysis, debugging, testing, and reverse-engineering. The project will address a key research question: understanding of how best to represent and explain the security implications and semantics of configuration choices (the parameter space of a scenario) to an instructor with limited knowledge of information security. We are developing a scenario description language (SDL) to do this.
The research and development agenda focuses on investigating three core issues: (1) the construction of a suite of cybersecurity scenarios; (2) the deployment of this platform in a variety security testbeds and cloud environments (at no cost to students or instructors); and (3) an understanding of how such scenarios might be used as an evaluation and assessment tool for both students in the course of their studies as well as an independent benchmark for other cybersecurity training programs, curricula, and exercises. The project has a potential to significantly advance the integration of cybersecurity into the undergraduate computer science curriculum. By providing interactive, competitive exercises, it will enhance the quality of instructional material, increasing active learning for students. By making it easy for the instructors to use, it will encourage them to integrate cybersecurity into the current core curriculum. These exercises will also provide rapid feedback to students and faculty, which will aid in assessment of student learning. We contemplate a significant outreach effort which will also facilitate this process.
Our goal in this outreach is to provide a publicly accessible environment with a minimal barrier to entry. EDURange helps students buy into the process of sharpening their information security analysis skills and makes them a partner in evaluating and understanding the limits of those skills.